Burp Suite
Burp Suite Intruder Documentation can be found here
Burp Suite Intruder Attack Type Documentation can be found here
There are four major types of attacks that can be used in Intruder:
Sniper
The most popular attack type, this cycles through our selected positions, putting the next available payload (item from our wordlist) in each position in turn. This uses only one set of payloads (one wordlist).
Battering Ram
Similar to Sniper, Battering Ram uses only one set of payloads. Unlike Sniper, Battering Ram puts the same payload into every selected position at once, then moves on to the next payload. Think of how a battering ram strikes a large surface with a single object, hence the name for this attack type.
Pitchfork
The Pitchfork attack type allows us to use multiple payload sets (one per position selected) and iterate through all of the payload sets simultaneously. For example, if we selected two positions (say a username field and a password field), we can provide a username and password payload list. Intruder will then step through both lists in parallel, pairing the first username with the first password, the second with the second, and so on, resulting in a total number of requests equal to the size of the smallest payload set provided.
Cluster bomb
The Cluster Bomb attack type allows us to use multiple payload sets (one per position selected) and iterate through all combinations of the payload lists we provide. For example, if we selected two positions (say a username field and a password field), we can provide a username and password payload list. Intruder will then cycle through the combinations of usernames and passwords, resulting in a total number of combinations equalling usernames x passwords. Do note, this can get pretty lengthy if you are using the community edition of Burp.
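The four attack types above differ only in how payloads are assigned to positions, which is easiest to see by enumerating the requests each one would generate. This is an added example, not code from Burp Suite or from the original page; the base values and the payload lists are constructed placeholders, and the ordering of the Cluster Bomb combinations is not meant to match Burp's own ordering.

```python
from itertools import product

def sniper(base, payloads):
    """One payload set. Each request changes one position; the others keep their base value."""
    for i in range(len(base)):
        for p in payloads:
            yield base[:i] + (p,) + base[i + 1:]

def battering_ram(base, payloads):
    """One payload set. Each request puts the same payload into every position."""
    for p in payloads:
        yield (p,) * len(base)

def _check(base, payload_sets):
    # Pitchfork and Cluster Bomb need one payload set per selected position.
    if len(payload_sets) != len(base):
        raise ValueError("need exactly one payload set per position")

def pitchfork(base, *payload_sets):
    """Payload sets are walked in parallel; stops when the shortest set runs out."""
    _check(base, payload_sets)
    yield from zip(*payload_sets)

def cluster_bomb(base, *payload_sets):
    """Every combination of one payload from each set."""
    _check(base, payload_sets)
    yield from product(*payload_sets)

def request_counts(base, *payload_sets):
    """Number of requests per attack type; single-set types use the first set."""
    first = payload_sets[0]
    return {
        "sniper": sum(1 for _ in sniper(base, first)),
        "battering_ram": sum(1 for _ in battering_ram(base, first)),
        "pitchfork": sum(1 for _ in pitchfork(base, *payload_sets)),
        "cluster_bomb": sum(1 for _ in cluster_bomb(base, *payload_sets)),
    }

# Constructed sample data: two positions (username, password) and two wordlists.
BASE = ("origUser", "origPass")
USERS = ["u1", "u2", "u3"]
PASSWORDS = ["p1", "p2"]

if __name__ == "__main__":
    for name, gen in (("sniper", sniper(BASE, USERS)),
                      ("battering_ram", battering_ram(BASE, USERS)),
                      ("pitchfork", pitchfork(BASE, USERS, PASSWORDS)),
                      ("cluster_bomb", cluster_bomb(BASE, USERS, PASSWORDS))):
        print(name, list(gen))
    print(request_counts(BASE, USERS, PASSWORDS))
```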
Intruder Attack Type Selection
For our purposes, we'll be returning to the SQL injection vulnerability we previously discovered through using Repeater.
Now that we are getting ready for the actual attack, I found it useful to pull the Intruder attack configuration document from here
Task 9 Flag 8
Performed the following steps to perform my SQLi Attack:
Proxy tab > HTTP history > (located the POST attempt at /rest/user/login), hit Ctrl + I / sent to Intruder
From Intruder tab > Positions, I set up my attack to be as follows (make sure to disable URL-encoding under Payloads, and import your SQLi fuzz payload)
Task 10 Flag 3
Make sure to look at your responses, and NOT requests!
Task 10 Flag 6 / 7
Both of these flags are dumb...